What is Phishing?
Phishing is one of the more notorious forms of attack today and has been responsible for some of the best-known security breaches. In a phishing attack, the intended victim is contacted by email, phone or text message by a criminal pretending to be a legitimate institution or person, and is asked to provide sensitive information (credit card numbers, usernames, passwords, etc.). The attacker might ask for a reply to the email or text, or might ask you to click a link that leads to a fake landing page which either collects your credentials or loads malware onto your system.
Why do attackers use Phishing?
Phishing messages can look entirely legitimate, and they have tricked everyone from technology novices to IT professionals. Attackers primarily use phishing to steal money or data. Increasingly, however, they also use it to obtain the work-account credentials of individuals with access to valuable networks or systems. There have been several recent cases where attackers obtained employees' usernames and passwords and used them to gain unauthorized access to internal systems. Once threat actors are inside, logged in as what look like legitimate users, they are hard to root out.
Attackers can also use a phishing message to infect your device with malware by urging you to click a link or open an attachment. Once malware is on your device, all bets are off: if your organization's security controls are not up to date, it can move from device to device, deploy additional malware, steal sensitive information, enlist devices into a botnet, or send spam from your email account.
How can I tell if I’m being targeted by a phishing campaign?
Phishing is so successful because it preys on people: the attacker isn't trying to trick a system or bypass a security policy, they're trying to trick you and me. A few key features give phishing messages away:
- It’s too good to be true: “You’ve won $10,000, just send us your bank information to deposit the funds”. If it sounds too good to be true, it’s actually too good to be true.
- Sense of Urgency: "If you don't respond to us right now your bank account will be suspended". Remember, it's very rare that you genuinely need to do something immediately "or else". Attackers even send fake security alerts themselves: "Something is wrong with your account, click here to verify your information."
- Hyperlinks: "Click here to contact us and solve XYZ issue". This is what trips a lot of people up: here's an easy-fix button for you to click. Hovering over a link shows where it actually leads, which is often not where the visible text suggests; always look before clicking.
- Attachments: "Download now!" It can seem like an email is trying to give you information rather than get information from you. Attachments can carry malicious payloads that infect your device.
- Something seems off: "We've held your account now." Whether it's typos in the message or a sender address that doesn't match the organization it claims to come from, some phishing is poorly written. However, attackers' spelling and grammar are getting better and better, so don't rely on this indicator alone.
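The "hover over the link before you click" check from the list above can be done programmatically. The script below is an added example written for this post, not code from the original article or from Lumen: it pulls every link out of an HTML email body and flags the classic tricks, a display text that looks like one URL while the href goes somewhere else, a raw IP address or userinfo (`user@host`) in the URL, a punycode hostname, and any host that is not under the domain you expect the sender to use. The sample email and the domains in it (`example-bank.com`, `login-verify.net`, `203.0.113.5`) are constructed for illustration.

```python
"""Flag link-based phishing indicators in an HTML email body.

Added example, not from the original post. Sample email and domains are
constructed placeholders; the registrable-domain helper is a deliberate
approximation (last two labels), not a public-suffix-list lookup.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels."""
    return ".".join(host.lower().split(".")[-2:])


def check_link(href, text, expected_domain):
    """Return a list of indicator strings for one link (empty = nothing odd)."""
    findings = []
    parts = urlsplit(href)
    host = parts.hostname or ""   # urlsplit lowercases the hostname
    if parts.scheme != "https":
        findings.append(f"not https (scheme {parts.scheme!r})")
    if parts.username is not None:
        findings.append("userinfo before '@' hides the real host")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a hostname")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode (internationalised) hostname")
    if host and registrable_domain(host) != expected_domain:
        findings.append(f"host {host!r} is not under {expected_domain!r}")
    # Visible text that itself looks like a URL but resolves elsewhere:
    # this is exactly what hovering over the link would reveal.
    m = re.match(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text.lower())
    if m and registrable_domain(m.group(1)) != registrable_domain(host):
        findings.append(f"displayed {text!r} but href goes to {host!r}")
    return findings


def scan_email(html_body, expected_domain):
    """Return [(href, visible_text, findings), ...] for every link in the body."""
    parser = _LinkCollector()
    parser.feed(html_body)
    return [(h, t, check_link(h, t, expected_domain)) for h, t in parser.links]


# Constructed sample: one lookalike link, one genuine link, one IP/userinfo link.
SAMPLE_EMAIL = """<p>Your account has been limited. Verify within 24 hours:</p>
<a href="http://example-bank.com.login-verify.net/account">https://www.example-bank.com/account</a>
<p>Or reach us via <a href="https://example-bank.com/contact">our contact page</a>.</p>
<a href="https://support@203.0.113.5/reset">Reset password</a>
"""

if __name__ == "__main__":
    for href, text, findings in scan_email(SAMPLE_EMAIL, "example-bank.com"):
        status = "OK" if not findings else "SUSPICIOUS"
        print(f"{status}: {text!r} -> {href}")
        for f in findings:
            print(f"    - {f}")
```

The second link comes back clean because its host is under the expected domain and its visible text is plain words; the first is flagged because the text claims `www.example-bank.com` while the href lands on `login-verify.net` (the bank's name is only a subdomain label there), and the third because of the `@` trick and the bare IP. The registrable-domain helper is a shortcut; a production checker would use a public-suffix list so that hosts like `example.co.uk` are handled correctly.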
While I was writing this blog, I was targeted by two different phishing scams: one on my work email and one on my cell phone via text. As you can see, they have a lot of the features I explained above: weird sender, poor grammar, sense of urgency, and links to click.
How can I protect myself from phishing campaigns?
There are a few ways you can help in the fight against phishing. I can't say this enough: DON'T CLICK ON ANYTHING UNLESS YOU'RE 100% SURE WHO SENT IT AND WHY. This may seem like common sense, but this is how many ransomware attacks, DDoS botnets and security breaches have started. If you're unsure about anything, contact the supposed sender directly by phone, a new email, text or IM, using contact details you already have rather than any given in the suspicious message, and ask whether they actually contacted you.
If you receive a phishing message at work, report it to your IT or security team: other employees may have received the same email, and your email security can be updated to block it or route it to junk mail.
If you’re a leader in your organization, try to push security awareness training out to coworkers and employees. Lumen can help empower your teams to proactively identify, act and respond to security threats with Cybersecurity Awareness Training. Security is everyone’s job today, and we all need to be equipped with how to protect ourselves.
Defend your organization from phishing attacks and more!
This content is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is at the end user’s own risk. Lumen does not warrant that the information will meet the end user’s requirements or that the implementation or usage of this information will result in the desired outcome for the end user. All third-party company and product or service names referenced in this article are for identification purposes only and do not imply endorsement or affiliation with Lumen. This document represents Lumen products and offerings as of the date of issue.